Need help with: Virtumonde / Virtumonde.generic / Virtumonde.sci
I've had some more threats that could be removed by Spybot.
So that's what's left and couldn't be removed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05:25, on 11.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\G DATA InternetSecurity\AVK\AVKService.exe
C:\Programme\G DATA InternetSecurity\AVK\AVKWCtl.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
C:\Programme\G DATA InternetSecurity\AVKTray\AVKTray.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Dokumente und Einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe
C:\Programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\Programme\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\DNA\btdna.exe
C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
C:\Programme\G DATA InternetSecurity\Firewall\GDFirewallTray.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\foobar2000\foobar2000.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
C:\Programme\G DATA InternetSecurity\Firewall\GDFwSvc.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe
C:\Programme\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Dokumente und Einstellungen\User\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\programme\g data internetsecurity\avkkid\avkcks.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6698DC46-1319-47FF-8A3B-B0F8F92191DB} - C:\WINDOWS\system32\iifcAttr.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\ljJASkLC.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {cc48fd3f-411f-35fb-9184-b8976bb29dcc} - {ccd92bb6-798b-4819-bf53-f114f3df84cc} - C:\WINDOWS\system32\lxufjh.dll (file missing)
O3 - Toolbar: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVKTray] "C:\Programme\G DATA InternetSecurity\AVKTray\AVKTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Dokumente und Einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTCheck] C:\Programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Programme\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programme\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Logitech-Produktregistrierung.lnk = C:\Programme\Gemeinsame Dateien\Logishrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: G DATA Firewall Tray.lnk = ?
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: lxufjh.dll
O20 - Winlogon Notify: ljJASkLC - ljJASkLC.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVKProxy - G DATA Software AG - C:\Programme\Gemeinsame Dateien\G DATA\AVKProxy\AVKProxy.exe
O23 - Service: AVK Service (AVKService) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\AVK\AVKService.exe
O23 - Service: AVK Wächter (AVKWCtl) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\AVK\AVKWCtl.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: G DATA Personal Firewall (GDFwSvc) - G DATA Software AG - C:\Programme\G DATA InternetSecurity\Firewall\GDFwSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 9337 bytes
Thx in advance, Igel
pskelley
2009-01-16, 15:10
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.
I apologize for the wait, volunteers are swamped at all forums with infected computers. If you have resolved your issues, please post to let me know so I can close this topic.
We have issues before I can consider helping.
1) Appears you run more than one antivirus program, see this information:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp
AntiVir PersonalEdition Classic and G DATA InternetSecurity
Only one antivirus can be running, uninstall one of those.
2) C:\Programme\DNA\btdna.exe <<< all p2p programs on the computer must be uninstalled:
File Sharing, otherwise known as Peer To Peer. (P2P)
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
3) The "Before you Post" directions must be read and followed.
http://forums.spybot.info/showthread.php?t=288
TeaTimer needs to be disabled so that its protection does not interfere with fixes.
Note: In notepad under Format, uncheck "Word Wrap". Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines. Otherwise the log is hard to read.
If you can comply with those instructions, post a new HJT log and I will take another look.
Thanks
I hope I've done everything that was mentioned.
So here's the new Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:04:23, on 16.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\runservice.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe
C:\Programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Dokumente und Einstellungen\User\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6698DC46-1319-47FF-8A3B-B0F8F92191DB} - C:\WINDOWS\system32\iifcAttr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: {cc48fd3f-411f-35fb-9184-b8976bb29dcc} - {ccd92bb6-798b-4819-bf53-f114f3df84cc} - C:\WINDOWS\system32\lxufjh.dll (file missing)
O3 - Toolbar: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Dokumente und Einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTCheck] C:\Programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOKALER DIENST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETZWERKDIENST')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Logitech-Produktregistrierung.lnk = C:\Programme\Gemeinsame Dateien\Logishrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: lxufjh.dll
O20 - Winlogon Notify: ljJASkLC - ljJASkLC.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7697 bytes
pskelley
2009-01-16, 22:58
Please read and follow the directions carefully.
1) HJT is not located and instructed in the "Before you Post" directions, follow these directions to fix that.
Download Trend Micro Hijack This™ to your Desktop
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log. <<< close HJT until I ask for a log after combofix is run.
2) Please DO NOT ENABLE Spybot S&D TeaTimer while we work together.
3) A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use
Download ComboFix from one of these locations:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.
*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
4) Post also an uninstall list: Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg
Thanks
All my Antivir or Antispyware tools have been disabled. But when Combofix did the restart, Antivir enabled itself again. I turned it off again, hope that was ok?
ComboFix 09-01-16.03 - User 2009-01-17 16:32:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.2046.1496 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\User\Desktop\ComboFix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Neuer Wiederherstellungspunkt wurde erstellt
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr0.dat
c:\dokumente und einstellungen\All Users\Anwendungsdaten\Microsoft\Network\Downloader\qmgr1.dat
c:\dokumente und einstellungen\User\Anwendungsdaten\Adobe\Manager.exe
c:\dokumente und einstellungen\User\Anwendungsdaten\inst.exe
c:\windows\system32\mcrh.tmp
----- BITS: Eventuell infizierte Webseiten -----
hxxp://www.apexsearchgroup.info
hxxp://apexsearchgroup.info
Infizierte Kopie von c:\windows\system32\userinit.exe wurde gefunden und desinfiziert
Kopie von - c:\qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir wurde wiederhergestellt
.
((((((((((((((((((((((( Dateien erstellt von 2008-12-17 bis 2009-01-17 ))))))))))))))))))))))))))))))
.
2009-01-17 16:26 . 2009-01-17 16:26 <DIR> d-------- c:\programme\Trend Micro
2009-01-13 12:27 . 2009-01-13 12:27 74,582 --a------ c:\windows\system32\klkozxcahgm
2009-01-10 22:09 . 2009-01-10 22:09 <DIR> d-------- c:\programme\Avira
2009-01-10 22:09 . 2009-01-10 22:09 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-01-10 18:04 . 2009-01-10 18:36 <DIR> d-------- c:\programme\Spybot - Search & Destroy
2009-01-10 18:04 . 2009-01-10 18:45 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-01-10 17:58 . 2008-04-14 03:23 26,624 --a------ c:\windows\system32\stu2.exe
2009-01-10 14:55 . 2009-01-10 14:55 21,396 --ah----- c:\windows\system32\mlfcache.dat
2009-01-10 14:45 . 2009-01-11 13:13 <DIR> d-------- c:\programme\mIRC
2009-01-10 14:45 . 2009-01-11 19:54 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\mIRC
2009-01-09 17:43 . 2009-01-09 17:43 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\FRISK Software
2009-01-09 17:36 . 2009-01-09 18:19 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-09 17:35 . 2009-01-09 18:20 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\FRISK Software
2009-01-07 20:23 . 2009-01-07 20:23 <DIR> d-------- c:\programme\Teamspeak2_RC2
2009-01-07 20:23 . 2009-01-07 20:23 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\teamspeak2
2009-01-07 20:23 . 2009-01-07 20:23 34,064 --a------ c:\windows\system32\lhacm.acm
2009-01-07 18:54 . 2009-01-07 18:54 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\nView_Profiles
2009-01-02 17:47 . 2009-01-02 17:47 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Logitech
2009-01-02 17:46 . 2009-01-02 17:46 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Leadertech
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-01-02 17:44 . 2007-11-15 10:06 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-01-02 17:44 . 2007-11-15 10:07 170,512 --a------ c:\windows\system32\kemutb.dll
2009-01-02 17:44 . 2007-11-15 10:07 141,840 --a------ c:\windows\system32\KemUtil.dll
2009-01-02 17:44 . 2007-11-15 10:07 117,264 --a------ c:\windows\system32\KemWnd.dll
2009-01-02 17:44 . 2007-11-15 10:07 76,304 --a------ c:\windows\system32\KemXML.dll
2009-01-02 17:43 . 2009-01-02 17:46 <DIR> d-------- c:\programme\Gemeinsame Dateien\Logishrd
2009-01-02 17:43 . 2009-01-02 17:43 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Logitech
2009-01-02 17:43 . 2009-01-02 17:43 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\LogiShrd
2009-01-02 17:42 . 2001-08-18 04:22 12,288 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-02 17:42 . 2001-08-18 04:22 12,288 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-01-02 17:41 . 2008-04-13 20:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-02 17:41 . 2008-04-13 20:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-31 17:50 . 2009-01-03 00:34 <DIR> d-------- c:\programme\Doxan
2008-12-28 00:50 . 2008-12-28 00:50 <DIR> d-------- c:\windows\system32\AGEIA
2008-12-28 00:50 . 2008-12-28 00:50 <DIR> d-------- c:\programme\AGEIA Technologies
2008-12-28 00:49 . 2008-12-28 00:50 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-12-28 00:46 . 2009-01-17 16:34 200,819 --a------ c:\windows\system32\nvapps.xml
2008-12-28 00:45 . 2008-12-28 00:45 <DIR> d-------- c:\windows\nview
2008-12-28 00:45 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-28 00:45 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-28 00:45 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-12-28 00:44 . 2008-12-28 00:44 <DIR> d-------- C:\NVIDIA
2008-12-22 15:49 . 2009-01-10 16:01 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\skypePM
2008-12-22 15:49 . 2008-12-22 15:49 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-12-22 15:47 . 2009-01-10 18:25 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\programme\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\programme\Gemeinsame Dateien\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 15:28 --------- d-----w c:\programme\Firefox
2009-01-16 21:17 --------- d-----w c:\programme\Burn4Free
2009-01-16 19:52 --------- d-----w c:\programme\Gemeinsame Dateien\G DATA
2009-01-16 19:50 --------- d-----w c:\programme\Super Mario Blue Twilight DX
2009-01-16 19:50 --------- d-----w c:\programme\Soulseek
2009-01-16 19:42 --------- d-----w c:\programme\Gemeinsame Dateien\InstallShield
2009-01-16 19:41 --------- d--h--w c:\programme\InstallShield Installation Information
2009-01-16 19:41 --------- d-----w c:\programme\Logitech
2009-01-16 19:38 --------- d-----w c:\programme\BitTorrent
2009-01-16 19:30 --------- d-----w c:\programme\Thunderbird
2009-01-16 17:25 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\foobar2000
2009-01-10 22:26 --------- d-----w c:\programme\Zmud
2009-01-09 12:53 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\BitTorrent
2008-12-29 19:29 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\dvdcss
2008-12-07 17:47 --------- d-----w c:\programme\foobar2000
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-09-20 18:21 47,360 ----a-w c:\dokumente und einstellungen\User\Anwendungsdaten\pcouffin.sys
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programme\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"ZBroadband Router Utility"="c:\dokumente und einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe" [2003-05-29 319488]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CTCheck"="c:\programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"NeroFilterCheck"="c:\programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"VTTimer"="VTTimer.exe" [2005-03-07 c:\windows\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2005-10-31 c:\windows\system32\S3Trayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\dokumente und einstellungen\User\Startmenü\Programme\Autostart\
Logitech-Produktregistrierung.lnk - c:\programme\Gemeinsame Dateien\Logishrd\eReg\SetPoint\eReg.exe [2007-04-09 3036688]
c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Logitech SetPoint.lnk - c:\programme\Logitech\SetPoint\SetPoint.exe [2009-01-02 784912]
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=lxufjh.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\Gate-MON V1.10.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\Miranda\\miranda32.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\The All-Seeing Eye\\eye.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\E - Quake2\\Quake2\\aq2.exe"=
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-06-10 2560]
S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2006-02-08 806400]
.
- - - - Entfernte verwaiste Registrierungseinträge - - - -
BHO-{6698DC46-1319-47FF-8A3B-B0F8F92191DB} - c:\windows\system32\iifcAttr.dll
BHO-{ccd92bb6-798b-4819-bf53-f114f3df84cc} - c:\windows\system32\lxufjh.dll
WebBrowser-{4F11ACBB-393F-4C86-A214-FF3D0D155CC3} - (no file)
Notify-ljJASkLC - ljJASkLC.dll
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 16:35:04
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
"1"=hex:ed,4b,4a,ed,15,23,49,74,5a,62,6c,ea,06,f6,a6,df
"2"=hex:a9,40,80,f3,45,2c,d5,a1,17,53,11,d7,21,de,a4,9e,70,5f,a0,52,5b,27,ae,
65,1c,9d,59,02,eb,37,2c,7a,87,23,4c,1a,3f,83,53,96
"3"=hex:ed,4b,4a,ed,15,23,49,74,b0,26,52,ff,a0,7d,07,31,e6,5f,d4,da,fb,3f,90,
71,75,14,ea,42,77,9a,7a,ec,d4,b7,cc,3b,f4,0a,33,5b,a4,1e,da,46,25,2d,2a,72,\
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\4F72AD6D614594B9]
"1"=hex:1a,dd,98,10,b1,7c,5d,e1
"2"=hex:90,fa,28,71,8f,1e,a3,a6
"3"=hex:81,20,8f,ab,28,6a,52,9c
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,e5,23,7b,b0,66,d6,fc,bc,64,22,fb,7e,d3,39,3e,a3,00,33,13,c0,21,f4,
51,6c,4e,0c,96,e2,dd,ad,8a,b6,c4,05,e8,5a,bd,9a,e9,d4,1a,3d,68,9d,00,32,20
"7"=hex:ed,4b,4a,ed,15,23,49,74,5a,02,d0,c7,f9,dd,f2,e5,3e,e0,99,3d,a8,68,9c,
4f,1f,71,fc,13,23,3b,2c,6b,94,db,ee,08,97,0d,d7,27,bf,b9,1b,eb,26,77,8c,fe,\
"8"=hex:4d,03,2a,7c,4b,f9,e6,6b,0b,36,10,b7,04,a2,10,ae,ea,01,ec,c6,a9,8a,e8,
11,4d,18,24,30,7c,7a,91,34,7c,e8,dd,11,de,a0,da,4d,e2,db,b8,b0,3f,d0,d1,67,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:b6,dd,00,4d,9d,38,11,d1
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:81,20,8f,ab,28,6a,52,9c
"13"=hex:81,20,8f,ab,28,6a,52,9c
"14"=hex:81,20,8f,ab,28,6a,52,9c
"24"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:81,20,8f,ab,28,6a,52,9c
"22"=hex:81,20,8f,ab,28,6a,52,9c
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'winlogon.exe'(560)
c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTWlgn.dll
c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTServ.dll
.
------------------------ Weitere laufende Prozesse ------------------------
.
c:\windows\system32\BRSS01A.EXE
c:\programme\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programme\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\system32\rundll32.exe
c:\programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
c:\programme\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\system32\nvsvc32.exe
c:\programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.exe
c:\programme\Canon\CAL\CALMAIN.exe
c:\programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
c:\programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Zeit der Fertigstellung: 2009-01-17 16:38:36 - PC wurde neu gestartet
ComboFix-quarantined-files.txt 2009-01-17 15:38:33
Vor Suchlauf: 12 Verzeichnis(se), 18.063.192.064 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 17,988,018,176 Bytes frei
WindowsXP-KB310994-SP2-Home-BootDisk-DEU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
233 --- E O F --- 2008-12-17 22:31:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:48:00, on 17.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\Canon\CAL\CALMAIN.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Dokumente und Einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTCheck] C:\Programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Logitech-Produktregistrierung.lnk = C:\Programme\Gemeinsame Dateien\Logishrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: lxufjh.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7587 bytes
Uninstall_List
7-Zip 4.57
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color Common Settings
Adobe Color EU Recommended Settings
Adobe Color JA Extra Settings
Adobe Color NA Extra Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Reader 8.1.2 - Deutsch
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
AudibleManager
Audiograbber 1.83 SE
Avira AntiVir Personal - Free Antivirus
Burn4Free CD and DVD
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon G.726 WMP-Decoder
CANON iMAGE GATEWAY Task
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CDDRV_Installer
CloneDVD2
ConvertXtoDVD 3.2.0.52
Creative Systeminformationen
Creative ZEN
DivX Web Player
DVD Region+CSS Free 5.9.8.5
erLT
foobar2000 v0.9.6
GEAR 32bit Driver Installer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix für Windows XP (KB952287)
hp deskjet 930c series (nur entfernen)
Java(TM) 6 Update 6
KhalInstallWrapper
Logitech SetPoint
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
MindManager 2002
Miranda IM 0.7.13
mIRC
Mozilla Firefox (2.0.0.7)
Mozilla Firefox (3.0.5)
Mozilla Thunderbird (2.0.0.19)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MUSHclient (remove only)
My Video Converter 1.2.32
Nero 8
neroxml
NVIDIA Drivers
NVIDIA PhysX v8.09.04
PDF Settings
QuickTime Alternative 2.7.0
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI NIC Driver
Sicherheitsupdate für Windows Media Player (KB952069)
Sicherheitsupdate für Windows Media Player 9 (KB917734)
Sicherheitsupdate für Windows XP (KB923789)
Sicherheitsupdate für Windows XP (KB938464)
Sicherheitsupdate für Windows XP (KB941569)
Sicherheitsupdate für Windows XP (KB946648)
Sicherheitsupdate für Windows XP (KB950759)
Sicherheitsupdate für Windows XP (KB950760)
Sicherheitsupdate für Windows XP (KB950762)
Sicherheitsupdate für Windows XP (KB950974)
Sicherheitsupdate für Windows XP (KB951066)
Sicherheitsupdate für Windows XP (KB951376)
Sicherheitsupdate für Windows XP (KB951376-v2)
Sicherheitsupdate für Windows XP (KB951698)
Sicherheitsupdate für Windows XP (KB951748)
Sicherheitsupdate für Windows XP (KB952954)
Sicherheitsupdate für Windows XP (KB953838)
Sicherheitsupdate für Windows XP (KB953839)
Sicherheitsupdate für Windows XP (KB954211)
Sicherheitsupdate für Windows XP (KB954459)
Sicherheitsupdate für Windows XP (KB954600)
Sicherheitsupdate für Windows XP (KB955069)
Sicherheitsupdate für Windows XP (KB956390)
Sicherheitsupdate für Windows XP (KB956391)
Sicherheitsupdate für Windows XP (KB956802)
Sicherheitsupdate für Windows XP (KB956803)
Sicherheitsupdate für Windows XP (KB956841)
Sicherheitsupdate für Windows XP (KB957095)
Sicherheitsupdate für Windows XP (KB957097)
Sicherheitsupdate für Windows XP (KB958215)
Sicherheitsupdate für Windows XP (KB958644)
Sicherheitsupdate für Windows XP (KB960714)
Skype™ 3.8
Spybot - Search & Destroy
TeamSpeak 2 RC2
The New Adventures of Zak McKracken
Update für Windows XP (KB951072-v2)
Update für Windows XP (KB951978)
Update für Windows XP (KB955839)
VCRedistSetup
VIA Platform Device Manager
VIA/S3G Display Driver
VideoLAN VLC media player 0.8.6f
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows XP Service Pack 3
ZENcast Organizer
zMUD 7.21.0.0
pskelley
2009-01-17, 19:52
I am having a bit of a time with your language; this says userinit.exe is infected.
It is usually fixed when Recovery Console is installed. You may need to translate after I see the next logs?
Infizierte Kopie von c:\windows\system32\userinit.exe wurde gefunden und desinfiziert
Kopie von - c:\qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir wurde wiederhergestellt
Soulseek, BitTorrent <<< all p2p programs must be uninstalled before you proceed.
http://forums.spybot.info/showthread.php?t=282
If your helper detects the presence of such programs on your computer he/she will ask you to remove them. Help will be withdrawn should you not agree to their removal.
1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.
2) Open notepad and copy/paste the text in the codebox below into it:
File::
c:\windows\system32\klkozxcahgm
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=-
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (wait until you finish to post the logs)
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O3 - Toolbar: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - (no file)
O20 - AppInit_DLLs: lxufjh.dll <<< may be gone
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html
5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.malwarebytes.org/
* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM and a new HJT log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
Tutorial if needed:
http://www.techsupportteam.org/forum/tutorials/2282-malwarebytes-anti-malware-mbam.html
How is the computer running?
Thanks
This can be done as time permits, but it is important.
Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.
Hackers are using out of date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update if you are interested:
http://secunia.com/vulnerability_scanning/personal/
While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.
Adobe Reader 8.1.2 - Deutsch <<< out of date, see this:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, look at this one)
Foxit Reader 2.3 for Windows (make sure to uncheck toolbars)
http://www.foxitsoftware.com/pdf/rd_intro.php
Java(TM) 6 Update 6 <<< out of date and unsafe, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Be aware of this information so you can opt out of anything you do not want.
Microsoft Does MSN Toolbar Distribution Deal With Java:
http://searchengineland.com/microsoft-does-msn-toolbar-distribution-deal-with-java-15413.php
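The lines the helper singled out above (the O20 AppInit_DLLs entry and the orphaned O3 toolbar) are the two HijackThis entry types that most often warrant a second look, because AppInit_DLLs gets loaded into every user-mode process that links user32.dll, and a "(no file)" BHO or toolbar is leftover registry residue. As an added example that is not part of the thread and not HijackThis code, here is a small triage script that parses HijackThis-style lines and flags those two cases plus O23 services with no publisher; the sample lines are constructed from the kinds of entries shown in the log above, and the severity labels and the "Unknown owner" heuristic are my own assumptions, not HijackThis's.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from HijackThis).

Flags:
  * O20 AppInit_DLLs with a non-empty value   -> "high"   (loaded into every process that links user32.dll)
  * O2/O3 BHO or toolbar entries with "(no file)" -> "low" (orphaned registry entry, file already gone)
  * O23 services listed with "Unknown owner"  -> "review" (no publisher info; verify the binary)
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the entry types seen in the log above.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {0124123D-61B4-456f-AF86-78C53A0790C5} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: lxufjh.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

# HijackThis lines look like "<section> - <body>", e.g. "O20 - AppInit_DLLs: foo.dll".
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    severity: str   # "high", "low" or "review" (labels are this example's own)
    reason: str
    line: str


def parse_hjt(text):
    """Return (section, body, original_line) for every recognisable HJT line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def analyze(text):
    """Run the three checks over a HijackThis log and return the findings in log order."""
    findings = []
    for section, body, line in parse_hjt(text):
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body[len("AppInit_DLLs:"):].strip()
            if value:   # HijackThis only lists O20 when the value is set; empty means nothing injected
                findings.append(Finding(
                    "O20", "high",
                    f"AppInit_DLLs loads {value!r} into every process that links user32.dll",
                    line))
        elif section in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(
                section, "low",
                "orphaned BHO/toolbar entry: the referenced file no longer exists",
                line))
        elif section == "O23" and " - Unknown owner - " in body:
            findings.append(Finding(
                "O23", "review",
                "service binary carries no publisher information; verify it manually",
                line))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 1, 'low': 1, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Everything else in the log (the O4 Run entries, the R0/R1 browser settings) is left alone on purpose: those are where legitimate software lives too, and a script cannot decide between a vendor's updater and an unwanted autostart without a reputation source, which is exactly the judgement the helper in this thread is supplying by hand.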
Infizierte Kopie von c:\windows\system32\userinit.exe wurde gefunden und desinfiziert
Kopie von - c:\qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir wurde wiederherg
means
Infected Copy from c:\windows\system32\userinit.exe was found and disinfected
Copy of - c:\qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir was recovered
I was surprised Malwarebytes didn't find anything bad. So I couldn't fix a thing.
Hope I did everything correct.
(* Keine bösartigen Objekte gefunden = No bad Objects found)
Here the logs:
ComboFix 09-01-17.02 - User 2009-01-17 19:14:25.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.2046.1575 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\User\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\User\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Neuer Wiederherstellungspunkt wurde erstellt
FILE ::
c:\windows\system32\klkozxcahgm
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\klkozxcahgm
.
((((((((((((((((((((((( Dateien erstellt von 2008-12-17 bis 2009-01-17 ))))))))))))))))))))))))))))))
.
2009-01-17 16:26 . 2009-01-17 16:26 <DIR> d-------- c:\programme\Trend Micro
2009-01-10 22:09 . 2009-01-10 22:09 <DIR> d-------- c:\programme\Avira
2009-01-10 22:09 . 2009-01-10 22:09 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-01-10 18:04 . 2009-01-10 18:36 <DIR> d-------- c:\programme\Spybot - Search & Destroy
2009-01-10 18:04 . 2009-01-10 18:45 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-01-10 17:58 . 2008-04-14 03:23 26,624 --a------ c:\windows\system32\stu2.exe
2009-01-10 14:55 . 2009-01-10 14:55 21,396 --ah----- c:\windows\system32\mlfcache.dat
2009-01-10 14:45 . 2009-01-11 13:13 <DIR> d-------- c:\programme\mIRC
2009-01-10 14:45 . 2009-01-11 19:54 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\mIRC
2009-01-09 17:43 . 2009-01-09 17:43 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\FRISK Software
2009-01-09 17:36 . 2009-01-09 18:19 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-09 17:35 . 2009-01-09 18:20 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\FRISK Software
2009-01-07 20:23 . 2009-01-07 20:23 <DIR> d-------- c:\programme\Teamspeak2_RC2
2009-01-07 20:23 . 2009-01-07 20:23 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\teamspeak2
2009-01-07 20:23 . 2009-01-07 20:23 34,064 --a------ c:\windows\system32\lhacm.acm
2009-01-07 18:54 . 2009-01-07 18:54 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\nView_Profiles
2009-01-02 17:47 . 2009-01-02 17:47 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Logitech
2009-01-02 17:46 . 2009-01-02 17:46 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Leadertech
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-01-02 17:44 . 2007-11-15 10:06 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-01-02 17:44 . 2007-11-15 10:07 170,512 --a------ c:\windows\system32\kemutb.dll
2009-01-02 17:44 . 2007-11-15 10:07 141,840 --a------ c:\windows\system32\KemUtil.dll
2009-01-02 17:44 . 2007-11-15 10:07 117,264 --a------ c:\windows\system32\KemWnd.dll
2009-01-02 17:44 . 2007-11-15 10:07 76,304 --a------ c:\windows\system32\KemXML.dll
2009-01-02 17:43 . 2009-01-02 17:46 <DIR> d-------- c:\programme\Gemeinsame Dateien\Logishrd
2009-01-02 17:43 . 2009-01-02 17:43 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Logitech
2009-01-02 17:43 . 2009-01-02 17:43 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\LogiShrd
2009-01-02 17:42 . 2001-08-18 04:22 12,288 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-02 17:42 . 2001-08-18 04:22 12,288 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-01-02 17:41 . 2008-04-13 20:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-02 17:41 . 2008-04-13 20:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-31 17:50 . 2009-01-03 00:34 <DIR> d-------- c:\programme\Doxan
2008-12-28 00:50 . 2008-12-28 00:50 <DIR> d-------- c:\windows\system32\AGEIA
2008-12-28 00:50 . 2008-12-28 00:50 <DIR> d-------- c:\programme\AGEIA Technologies
2008-12-28 00:49 . 2008-12-28 00:50 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-12-28 00:46 . 2009-01-17 16:34 200,819 --a------ c:\windows\system32\nvapps.xml
2008-12-28 00:45 . 2008-12-28 00:45 <DIR> d-------- c:\windows\nview
2008-12-28 00:45 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-28 00:45 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-28 00:45 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-12-28 00:44 . 2008-12-28 00:44 <DIR> d-------- C:\NVIDIA
2008-12-22 15:49 . 2009-01-10 16:01 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\skypePM
2008-12-22 15:49 . 2008-12-22 15:49 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-12-22 15:47 . 2009-01-10 18:25 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\programme\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\programme\Gemeinsame Dateien\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 17:16 --------- d-----w c:\programme\Firefox
2009-01-16 21:17 --------- d-----w c:\programme\Burn4Free
2009-01-16 19:52 --------- d-----w c:\programme\Gemeinsame Dateien\G DATA
2009-01-16 19:50 --------- d-----w c:\programme\Super Mario Blue Twilight DX
2009-01-16 19:50 --------- d-----w c:\programme\Soulseek
2009-01-16 19:42 --------- d-----w c:\programme\Gemeinsame Dateien\InstallShield
2009-01-16 19:41 --------- d--h--w c:\programme\InstallShield Installation Information
2009-01-16 19:41 --------- d-----w c:\programme\Logitech
2009-01-16 19:38 --------- d-----w c:\programme\BitTorrent
2009-01-16 19:30 --------- d-----w c:\programme\Thunderbird
2009-01-16 17:25 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\foobar2000
2009-01-10 22:26 --------- d-----w c:\programme\Zmud
2009-01-09 12:53 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\BitTorrent
2008-12-29 19:29 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\dvdcss
2008-12-07 17:47 --------- d-----w c:\programme\foobar2000
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-09-20 18:21 47,360 ----a-w c:\dokumente und einstellungen\User\Anwendungsdaten\pcouffin.sys
.
((((((((((((((((((((((((((((( snapshot@2009-01-17_16.37.44.26 )))))))))))))))))))))))))))))))))))))))))
.
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\programme\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"ZBroadband Router Utility"="c:\dokumente und einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe" [2003-05-29 319488]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CTCheck"="c:\programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"NeroFilterCheck"="c:\programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"VTTimer"="VTTimer.exe" [2005-03-07 c:\windows\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2005-10-31 c:\windows\system32\S3Trayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\dokumente und einstellungen\User\Startmenü\Programme\Autostart\
Logitech-Produktregistrierung.lnk - c:\programme\Gemeinsame Dateien\Logishrd\eReg\SetPoint\eReg.exe [2007-04-09 3036688]
c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Logitech SetPoint.lnk - c:\programme\Logitech\SetPoint\SetPoint.exe [2009-01-02 784912]
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\Gate-MON V1.10.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\Miranda\\miranda32.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\The All-Seeing Eye\\eye.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\E - Quake2\\Quake2\\aq2.exe"=
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-06-10 2560]
S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2006-02-08 806400]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 19:15:49
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\4F72AD6D614594B9]
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'winlogon.exe'(560)
c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTWlgn.dll
c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTServ.dll
.
Zeit der Fertigstellung: 2009-01-17 19:17:55
ComboFix-quarantined-files.txt 2009-01-17 18:17:26
ComboFix2.txt 2009-01-17 15:38:37
Vor Suchlauf: 12 Verzeichnis(se), 18.007.158.784 Bytes frei
Nach Suchlauf: 12 Verzeichnis(se), 17,996,566,528 Bytes frei
197 --- E O F --- 2008-12-17 22:31:41
Malwarebytes' Anti-Malware 1.33
Datenbank Version: 1663
Windows 5.1.2600 Service Pack 3
17.01.2009 20:27:25
mbam-log-2009-01-17 (20-27-25).txt
Scan-Methode: Vollständiger Scan (C:\|)
Durchsuchte Objekte: 139512
Laufzeit: 58 minute(s), 4 second(s)
Infizierte Speicherprozesse: 0
Infizierte Speichermodule: 0
Infizierte Registrierungsschlüssel: 0
Infizierte Registrierungswerte: 0
Infizierte Dateiobjekte der Registrierung: 0
Infizierte Verzeichnisse: 0
Infizierte Dateien: 0
Infizierte Speicherprozesse:
(Keine bösartigen Objekte gefunden)
Infizierte Speichermodule:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungsschlüssel:
(Keine bösartigen Objekte gefunden)
Infizierte Registrierungswerte:
(Keine bösartigen Objekte gefunden)
Infizierte Dateiobjekte der Registrierung:
(Keine bösartigen Objekte gefunden)
Infizierte Verzeichnisse:
(Keine bösartigen Objekte gefunden)
Infizierte Dateien:
(Keine bösartigen Objekte gefunden)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:29:52, on 17.01.2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Programme\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Programme\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Dokumente und Einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe
C:\WINDOWS\runservice.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programme\Logitech\SetPoint\SetPoint.exe
C:\Programme\Gemeinsame Dateien\Microsoft Shared\VS7Debug\mdm.exe
C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Programme\Gemeinsame Dateien\Logishrd\KHAL2\KHALMNPR.EXE
C:\Programme\Canon\CAL\CALMAIN.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexStoreSvr.exe
C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Programme\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.de/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programme\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [ZBroadband Router Utility] C:\Dokumente und Einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programme\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CTCheck] C:\Programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Programme\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Logitech-Produktregistrierung.lnk = C:\Programme\Gemeinsame Dateien\Logishrd\eReg\SetPoint\eReg.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Programme\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programme\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Nach Microsoft &Excel exportieren - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\GEMEIN~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Personal - Free Antivirus Planer (AntiVirScheduler) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Programme\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Programme\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programme\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programme\Gemeinsame Dateien\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programme\Gemeinsame Dateien\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Programme\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programme\Gemeinsame Dateien\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 7439 bytes
PC is running quickly and stably, as it seems.
Does that mean we're done and through?
pskelley
2009-01-17, 22:40
PC is running quickly and stably, as it seems.
Does that mean we're done and through?
Almost. I am glad you translated; I thought we were going to have to hunt for a clean file. Let's do this, then we will close next.
Open notepad and copy/paste the text in the codebox below into it:
Folder::
c:\programme\Soulseek
c:\programme\BitTorrent
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
Thanks
ComboFix 09-01-17.02 - User 2009-01-17 21:44:09.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1031.18.2046.1576 [GMT 1:00]
ausgeführt von:: c:\dokumente und einstellungen\User\Desktop\ComboFix.exe
Benutzte Befehlsschalter :: c:\dokumente und einstellungen\User\Desktop\CFScript.txt
AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Outdated)
* Neuer Wiederherstellungspunkt wurde erstellt
.
(((((((((((((((((((((((((((((((((((( Weitere Löschungen ))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\programme\BitTorrent
c:\programme\BitTorrent\BitTorrentIE.2.dll
c:\programme\BitTorrent\uninst.exe
c:\programme\Soulseek
c:\programme\Soulseek\attrstrings.cfg
c:\programme\Soulseek\autoaway.cfg
c:\programme\Soulseek\chatrooms.cfg
c:\programme\Soulseek\chatui.cfg
c:\programme\Soulseek\dlbans.cfg
c:\programme\Soulseek\extensions.cfg
c:\programme\Soulseek\hotlist.cfg
c:\programme\Soulseek\ignores.cfg
c:\programme\Soulseek\login.cfg
c:\programme\Soulseek\pchat.cfg
c:\programme\Soulseek\port.cfg
c:\programme\Soulseek\queue.cfg
c:\programme\Soulseek\queue2.cfg
c:\programme\Soulseek\rcmnd.cfg
c:\programme\Soulseek\save.cfg
c:\programme\Soulseek\search.cfg
c:\programme\Soulseek\shared.cfg
c:\programme\Soulseek\ticker.cfg
c:\programme\Soulseek\transfersview.cfg
c:\programme\Soulseek\ui.cfg
c:\programme\Soulseek\userinfo.cfg
c:\programme\Soulseek\usernotes.cfg
c:\programme\Soulseek\wishlist.cfg
.
((((((((((((((((((((((( Dateien erstellt von 2008-12-17 bis 2009-01-17 ))))))))))))))))))))))))))))))
.
2009-01-17 20:56 . 2009-01-17 20:56 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-17 20:56 . 2009-01-17 20:56 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-17 20:55 . 2009-01-17 20:55 <DIR> d-------- c:\programme\Java
2009-01-17 19:27 . 2009-01-17 19:27 <DIR> d-------- c:\programme\Malwarebytes' Anti-Malware
2009-01-17 19:27 . 2009-01-17 19:27 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Malwarebytes
2009-01-17 19:27 . 2009-01-17 19:27 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Malwarebytes
2009-01-17 19:27 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-17 19:27 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-17 16:26 . 2009-01-17 16:26 <DIR> d-------- c:\programme\Trend Micro
2009-01-10 22:09 . 2009-01-10 22:09 <DIR> d-------- c:\programme\Avira
2009-01-10 22:09 . 2009-01-10 22:09 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Avira
2009-01-10 18:04 . 2009-01-10 18:36 <DIR> d-------- c:\programme\Spybot - Search & Destroy
2009-01-10 18:04 . 2009-01-10 18:45 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Spybot - Search & Destroy
2009-01-10 17:58 . 2008-04-14 03:23 26,624 --a------ c:\windows\system32\stu2.exe
2009-01-10 14:55 . 2009-01-10 14:55 21,396 --ah----- c:\windows\system32\mlfcache.dat
2009-01-10 14:45 . 2009-01-11 13:13 <DIR> d-------- c:\programme\mIRC
2009-01-10 14:45 . 2009-01-11 19:54 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\mIRC
2009-01-09 17:43 . 2009-01-09 17:43 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\FRISK Software
2009-01-09 17:36 . 2009-01-09 18:19 <DIR> d----c--- c:\windows\system32\DRVSTORE
2009-01-09 17:35 . 2009-01-09 18:20 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\FRISK Software
2009-01-07 20:23 . 2009-01-07 20:23 <DIR> d-------- c:\programme\Teamspeak2_RC2
2009-01-07 20:23 . 2009-01-07 20:23 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\teamspeak2
2009-01-07 20:23 . 2009-01-07 20:23 34,064 --a------ c:\windows\system32\lhacm.acm
2009-01-07 18:54 . 2009-01-07 18:54 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\nView_Profiles
2009-01-02 17:47 . 2009-01-02 17:47 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Logitech
2009-01-02 17:46 . 2009-01-02 17:46 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Leadertech
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-01-02 17:45 . 2009-01-02 17:45 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2009-01-02 17:44 . 2007-11-15 10:06 301,656 --a------ c:\windows\system32\BtCoreIf.dll
2009-01-02 17:44 . 2007-11-15 10:07 170,512 --a------ c:\windows\system32\kemutb.dll
2009-01-02 17:44 . 2007-11-15 10:07 141,840 --a------ c:\windows\system32\KemUtil.dll
2009-01-02 17:44 . 2007-11-15 10:07 117,264 --a------ c:\windows\system32\KemWnd.dll
2009-01-02 17:44 . 2007-11-15 10:07 76,304 --a------ c:\windows\system32\KemXML.dll
2009-01-02 17:43 . 2009-01-02 17:46 <DIR> d-------- c:\programme\Gemeinsame Dateien\Logishrd
2009-01-02 17:43 . 2009-01-02 17:43 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Logitech
2009-01-02 17:43 . 2009-01-02 17:43 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\LogiShrd
2009-01-02 17:42 . 2001-08-18 04:22 12,288 --a------ c:\windows\system32\drivers\mouhid.sys
2009-01-02 17:42 . 2001-08-18 04:22 12,288 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2009-01-02 17:41 . 2008-04-13 20:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2009-01-02 17:41 . 2008-04-13 20:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-12-31 17:50 . 2009-01-03 00:34 <DIR> d-------- c:\programme\Doxan
2008-12-28 00:50 . 2008-12-28 00:50 <DIR> d-------- c:\windows\system32\AGEIA
2008-12-28 00:50 . 2008-12-28 00:50 <DIR> d-------- c:\programme\AGEIA Technologies
2008-12-28 00:49 . 2008-12-28 00:50 <DIR> d-------- c:\programme\Gemeinsame Dateien\Wise Installation Wizard
2008-12-28 00:46 . 2009-01-17 21:03 200,819 --a------ c:\windows\system32\nvapps.xml
2008-12-28 00:45 . 2008-12-28 00:45 <DIR> d-------- c:\windows\nview
2008-12-28 00:45 . 2008-10-02 10:07 453,152 --a------ c:\windows\system32\NVUNINST.EXE
2008-12-28 00:45 . 2008-10-07 13:33 453,152 --a------ c:\windows\system32\nvudisp.exe
2008-12-28 00:45 . 2008-10-07 13:33 18,477 --a------ c:\windows\system32\nvdisp.nvu
2008-12-28 00:44 . 2008-12-28 00:44 <DIR> d-------- C:\NVIDIA
2008-12-22 15:49 . 2009-01-10 16:01 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\skypePM
2008-12-22 15:49 . 2008-12-22 15:49 56 --ah----- c:\windows\system32\ezsidmv.dat
2008-12-22 15:47 . 2009-01-10 18:25 <DIR> d-------- c:\dokumente und einstellungen\User\Anwendungsdaten\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\programme\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\programme\Gemeinsame Dateien\Skype
2008-12-22 15:46 . 2008-12-22 15:46 <DIR> d-------- c:\dokumente und einstellungen\All Users\Anwendungsdaten\Skype
.
(((((((((((((((((((((((((((((((((((( Find3M Bericht ))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-17 20:40 --------- d-----w c:\programme\Firefox
2009-01-16 21:17 --------- d-----w c:\programme\Burn4Free
2009-01-16 19:52 --------- d-----w c:\programme\Gemeinsame Dateien\G DATA
2009-01-16 19:50 --------- d-----w c:\programme\Super Mario Blue Twilight DX
2009-01-16 19:42 --------- d-----w c:\programme\Gemeinsame Dateien\InstallShield
2009-01-16 19:41 --------- d--h--w c:\programme\InstallShield Installation Information
2009-01-16 19:41 --------- d-----w c:\programme\Logitech
2009-01-16 19:30 --------- d-----w c:\programme\Thunderbird
2009-01-16 17:25 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\foobar2000
2009-01-10 22:26 --------- d-----w c:\programme\Zmud
2009-01-09 12:53 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\BitTorrent
2008-12-29 19:29 --------- d-----w c:\dokumente und einstellungen\User\Anwendungsdaten\dvdcss
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-07 17:47 --------- d-----w c:\programme\foobar2000
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-09-20 18:21 47,360 ----a-w c:\dokumente und einstellungen\User\Anwendungsdaten\pcouffin.sys
.
((((((((((((((((((((((((((((( snapshot@2009-01-17_16.37.44.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
- 2008-03-24 23:28:39 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-01-17 19:56:07 144,792 ----a-w c:\windows\system32\java.exe
- 2008-03-24 23:28:43 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-01-17 19:56:07 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-03-25 00:37:01 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-01-17 19:56:07 148,888 ----a-w c:\windows\system32\javaws.exe
- 2008-12-09 23:24:37 17,593,280 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-10 01:35:28 20,853,704 ----a-w c:\windows\system32\MRT.exe
+ 2009-01-17 20:03:32 16,384 ----atw c:\windows\temp\Perflib_Perfdata_46c.dat
.
(((((((((((((((((((((((((((( Autostartpunkte der Registrierung ))))))))))))))))))))))))))))))))))))))))
.
.
*Hinweis* leere Einträge & legitime Standardeinträge werden nicht angezeigt.
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\programme\Gemeinsame Dateien\Nero\Lib\NMBgMonitor.exe" [2007-10-23 202024]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-12-12 196608]
"ZBroadband Router Utility"="c:\dokumente und einstellungen\All Users\Dokumente\Backup von Alten Platten\F - Programme\Gate-MON V1.10.exe" [2003-05-29 319488]
"Adobe Reader Speed Launcher"="c:\programme\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"CTCheck"="c:\programme\Creative\Creative ZEN\ZEN Media Explorer\CTCheck.exe" [2007-11-06 397312]
"NeroFilterCheck"="c:\programme\Gemeinsame Dateien\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\programme\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-09-20 1836328]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-07 86016]
"avgnt"="c:\programme\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SunJavaUpdateSched"="c:\programme\Java\jre6\bin\jusched.exe" [2009-01-17 136600]
"VTTimer"="VTTimer.exe" [2005-03-07 c:\windows\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2005-10-31 c:\windows\system32\S3Trayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-01-11 c:\windows\soundman.exe]
"nwiz"="nwiz.exe" [2008-10-07 c:\windows\system32\nwiz.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 c:\windows\KHALMNPR.Exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\dokumente und einstellungen\User\Startmenü\Programme\Autostart\
Logitech-Produktregistrierung.lnk - c:\programme\Gemeinsame Dateien\Logishrd\eReg\SetPoint\eReg.exe [2007-04-09 3036688]
c:\dokumente und einstellungen\All Users\Startmenü\Programme\Autostart\
Logitech SetPoint.lnk - c:\programme\Logitech\SetPoint\SetPoint.exe [2009-01-02 784912]
Microsoft Office.lnk - c:\programme\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 10:10 72208 c:\programme\Gemeinsame Dateien\Logishrd\Bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Programme\\Bonjour\\mDNSResponder.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programme\\Skype\\Phone\\Skype.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\Gate-MON V1.10.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\Miranda\\miranda32.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\F - Programme\\The All-Seeing Eye\\eye.exe"=
"c:\\Dokumente und Einstellungen\\All Users\\Dokumente\\Backup von Alten Platten\\E - Quake2\\Quake2\\aq2.exe"=
R4 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [2008-06-10 2560]
S3 S3GIGP;S3GIGP;c:\windows\system32\drivers\S3gIGPm.sys [2006-02-08 806400]
.
.
------- Zusätzlicher Suchlauf -------
.
uStart Page = hxxp://www.google.de/
uInternet Settings,ProxyOverride = *.local
IE: Nach Microsoft &Excel exportieren - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 21:45:55
Windows 5.1.2600 Service Pack 3 NTFS
Scanne versteckte Prozesse...
Scanne versteckte Autostarteinträge...
Scanne versteckte Dateien...
Scan erfolgreich abgeschlossen
versteckte Dateien: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8]
[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \DA9879757777DAE8\4F72AD6D614594B9]
.
--------------------- Durch laufende Prozesse gestartete DLLs ---------------------
- - - - - - - > 'winlogon.exe'(556)
c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTWlgn.dll
c:\programme\gemeinsame dateien\logishrd\bluetooth\LBTServ.dll
.
Zeit der Fertigstellung: 2009-01-17 21:47:45
ComboFix-quarantined-files.txt 2009-01-17 20:47:20
ComboFix2.txt 2009-01-17 18:17:56
ComboFix3.txt 2009-01-17 15:38:37
Vor Suchlauf: 11 Verzeichnis(se), 17.781.645.312 Bytes frei
Nach Suchlauf: 11 Verzeichnis(se), 17,771,298,816 Bytes frei
240 --- E O F --- 2009-01-17 20:00:19
pskelley
2009-01-17, 22:54
Remove combofix from the computer like this:
Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
Clean the System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
(Optional scan since the last scan was clean)
Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.
(MBAM is yours to keep if you wish, update it and run it once a month or so)
Update the AntiVir PersonalEdition Classic and scan the system, to be sure it is running right and scanning clean.
If all is well at this point, let me know and I will close the topic.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
http://users.telenet.be/bluepatchy/miekiemoes/Links.html
MBAM and Antivir updated.
MBAM did a clean scan.
Antivir found this as "Trojanische Pferd TR/Dropper.Gen" and deleted it (+ copy to quarantine):
C:\System Volume Information\_restore{A2CCF1DE-FBC0-4ECD-8B14-F9FEB1B36FEA}\RP1\A0000014.exe
After that and a reboot it did a clean scan.
Hope that I got rid of all that junk...
Thank you very much for your patience and all your help!
I'm trying to use all your advice on keeping my programs up to date and having a look at them.
Furthermore, if I may ask you something:
Would you recommend using additional firewall software, or is the Windows integrated firewall enough protection?
Thanks anyway, Igel.
pskelley
2009-01-18, 02:23
That item Antivir found was an infected System Restore file. Did you complete the instructions in the order they were posted? If so, the step "Clean the System Restore files like this:" would have cleaned and purged it before you ran the antivirus program.
As far as security programs go, read the links I posted from experts first; those questions should all be answered there. The last link I posted contains freeware security programs.
Thanks...